
PIX Firewall and Blocking chat engines 2

Status: Not open for further replies.

Mar 4, 2003
I would like to block all chat engines on my PIX firewall, but I'm having problems doing it successfully. I have AOL blocked now but msn and yahoo are another story. These are the ports I have blocked so far.

If anyone has any suggestions, I would really appreciate them.

AOL Instant Messenger
  5190 (outbound TCP)
  login.oscar.aol.com

Microsoft .NET Messenger
  1863 (outbound TCP)
  5060 (TCP) for Session Initiation Protocol (SIP)
  1503 (TCP) for Audio/Video, File Sharing and Whiteboard
  6891-6900 (TCP) for File Transfer
  3389 (TCP) for Remote Assistance

Yahoo! Messenger
  5050 (outbound TCP)
  5101 (inbound TCP)
  5100 (TCP) for webcam
  5001 (TCP) for voice
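
For reference, here is what the port table above looks like as a PIX 6.x outbound access list. This is an added example, not configuration from the original poster or from Cisco; it assumes the inside network is 10.0.0.0/24 and that the inside interface is named `inside` (both assumptions, adjust to your own setup). The `!` lines are explanatory comments and can be left out when pasting.

```cisco
! Outbound filter for the chat ports listed above (PIX 6.x syntax).
! Assumptions: inside network 10.0.0.0/24, inside interface named "inside".
! AOL Instant Messenger
access-list inside_out deny tcp 10.0.0.0 255.255.255.0 any eq 5190
! Microsoft .NET Messenger: login, SIP, A/V+whiteboard, file transfer, Remote Assistance
access-list inside_out deny tcp 10.0.0.0 255.255.255.0 any eq 1863
access-list inside_out deny tcp 10.0.0.0 255.255.255.0 any eq 5060
access-list inside_out deny tcp 10.0.0.0 255.255.255.0 any eq 1503
access-list inside_out deny tcp 10.0.0.0 255.255.255.0 any range 6891 6900
access-list inside_out deny tcp 10.0.0.0 255.255.255.0 any eq 3389
! Yahoo! Messenger: login, webcam, voice
access-list inside_out deny tcp 10.0.0.0 255.255.255.0 any eq 5050
access-list inside_out deny tcp 10.0.0.0 255.255.255.0 any eq 5100
access-list inside_out deny tcp 10.0.0.0 255.255.255.0 any eq 5001
! A PIX access list ends in an implicit deny, so everything else
! the inside hosts are allowed to do must be permitted explicitly.
access-list inside_out permit ip 10.0.0.0 255.255.255.0 any
! Bind the list to traffic entering the PIX from the inside interface.
access-group inside_out in interface inside
```

Two notes on this. The "5101 inbound TCP" entry from the Yahoo! table needs no rule of its own: the PIX drops unsolicited inbound connections unless a static/conduit or an inbound access list opens them. And `show access-list inside_out` shows a hit count per line, which is the quickest way to see whether clients on the inside are still trying these ports or, as the reply below warns, have already fallen back to port 80.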

 
I'll dig up a series of e-mails I had with Cisco on this some time back. Basically, you really can't use the PIX successfully. Nearly all the chat engines revert to port 80 and have dozens of servers that change IP addresses on a regular basis.

The only way to successfully stop online chat, that I know of, is a three pronged approach:

1) Content filtering firewall/intrusion prevention on the outside
2) Local software that stops either program installation or URL access
3) Education, policies and enforcement.

And then you still get the tricksters with proxies, SSH tunnels and the like. It's a challenge for sure.

"If you lived here, you'd be home by now!"
George Carlin
 
Websense software will block it. It works with your PIX firewall, but it is kind of expensive.
 
Curtis,

I know this is a PIX forum, but if your clients are all Windows NT-based, you can very easily set up Group Policy to block the executables of chat programs. I am a netadmin of a university-wide computer lab (700 machines) that is used for academic use only, but students love to install their chat programs. The best way (inexpensive way, that is) to block them is using Win2K Group Policy. However, this doesn't block Java-based chat.
 
If you run your own DNS servers internally, you can create msn.com, yahoo.com, and icq.com zones and only put their MX records in them. Then the chat servers won't get resolved by the chat programs.
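
To make the DNS suggestion above concrete, here is an internal BIND zone file for one of the domains. It is an added example, not something from the original post; the name server `ns1.corp.example`, the MX target and the `192.0.2.25` address are placeholders (assumptions), and the real MX records for the domain should be looked up on an external resolver (for example `dig msn.com MX`) before it is deployed. The matching named.conf stanza is `zone "msn.com" { type master; file "msn.com.zone"; };`, repeated for yahoo.com and icq.com with each domain's own MX records.

```dns
; msn.com.zone: internal "sinkhole" zone. Example added here, not from the post.
; The internal server becomes authoritative for the whole domain, so every name
; that is NOT listed below (chat login hosts, www, ...) returns NXDOMAIN.
; Placeholders (assumptions): ns1.corp.example, mail.msn.com, 192.0.2.25.
$TTL 3600
$ORIGIN msn.com.
@       IN  SOA  ns1.corp.example. hostmaster.corp.example. (
                2003030401 ; serial (YYYYMMDDnn, bump on every change)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                3600 )     ; negative-caching TTL for the NXDOMAIN answers
        IN  NS   ns1.corp.example.
; Keep the domain's real MX hosts so outbound mail still routes.
        IN  MX   10 mail.msn.com.       ; placeholder: copy the real MX target
; The MX target is inside this zone, so it needs its own A record here;
; without it, mail to the domain breaks as well as chat.
mail    IN  A    192.0.2.25             ; placeholder (TEST-NET-1), use the real address
; No other records: the messenger clients' login hosts do not resolve.
```

Two caveats a practitioner should weigh before doing this. First, being authoritative for the whole domain also blanks out its web sites (www.msn.com and the like), and every MX host the real domain publishes has to be mirrored here or mail to that domain fails. Second, the clients these domains belong to may log in through hostnames under a different domain than the brand name, and a client can sidestep the internal server entirely by querying an outside resolver; check the DNS server's query log or a packet capture for the names actually being looked up, and restrict outbound UDP/TCP 53 on the PIX to the internal name servers.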
 